package org.springframework.security.web.authentication.session;

import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.util.Assert;

/* loaded from: input_file:spg-admin-ui-war-2.1.53.war:WEB-INF/lib/spring-security-web-3.1.1.RELEASE.jar:org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.class */
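/**
 * Session authentication strategy that caps the number of concurrent sessions a principal may
 * hold, using a {@link SessionRegistry} as the source of truth for active sessions.
 *
 * <p>On each successful authentication the strategy (1) checks the principal's unexpired
 * sessions against the configured maximum, (2) delegates to
 * {@link SessionFixationProtectionStrategy#onAuthentication} and (3) registers the resulting
 * session id with the registry. {@code alwaysCreateSession} is forced to {@code true}, so a
 * session always exists to register.
 *
 * <p>NOTE(review): the limit check and the registration are two separate registry calls and no
 * locking is visible in this class, so two simultaneous logins for the same principal can both
 * pass the check and leave the registry above the limit. Confirm whether the deployment
 * tolerates that or serialises logins elsewhere.
 */
public class ConcurrentSessionControlStrategy extends SessionFixationProtectionStrategy implements MessageSourceAware {
    private final SessionRegistry sessionRegistry;
    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
    // false: the least recently used session is expired to make room; true: the new login is rejected.
    private boolean exceptionIfMaximumExceeded = false;
    // -1 means unlimited; otherwise the maximum number of sessions per principal.
    private int maximumSessions = 1;

    /**
     * Creates the strategy and forces session creation on authentication.
     *
     * @param sessionRegistry registry used to look up and record sessions; must not be null
     * @throws IllegalArgumentException if {@code sessionRegistry} is null
     */
    public ConcurrentSessionControlStrategy(SessionRegistry sessionRegistry) {
        Assert.notNull(sessionRegistry, "The sessionRegistry cannot be null");
        super.setAlwaysCreateSession(true);
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Enforces the concurrency limit, runs the inherited session handling, then registers the
     * session with the registry.
     *
     * <p>The limit is checked before the superclass runs, so a rejected login throws before the
     * new session is registered.
     *
     * @throws AuthenticationException (unchecked) if the limit is exceeded and the login is rejected
     */
    @Override
    public void onAuthentication(Authentication authentication, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        checkAuthenticationAllowed(authentication, httpServletRequest);
        super.onAuthentication(authentication, httpServletRequest, httpServletResponse);
        // Read the id after the superclass has run so the id registered is the session's current one.
        String currentSessionId = httpServletRequest.getSession().getId();
        this.sessionRegistry.registerNewSession(currentSessionId, authentication.getPrincipal());
    }

    /**
     * Compares the principal's unexpired sessions with the allowed maximum and hands over to
     * {@link #allowableSessionsExceeded} when the limit is reached.
     *
     * @throws AuthenticationException if the limit handling rejects the login
     */
    private void checkAuthenticationAllowed(Authentication authentication, HttpServletRequest httpServletRequest) throws AuthenticationException {
        // Second argument false: expired sessions are not counted.
        List<SessionInformation> activeSessions = this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
        int sessionCount = activeSessions.size();
        int allowedSessions = getMaximumSessionsForThisUser(authentication);
        if (allowedSessions == -1 || sessionCount < allowedSessions) {
            // Unlimited, or still below the limit.
            return;
        }
        if (sessionCount == allowedSessions) {
            // Exactly at the limit: a re-authentication inside an already registered session
            // does not add a session, so it is let through.
            HttpSession existingSession = httpServletRequest.getSession(false);
            if (existingSession != null) {
                for (SessionInformation registered : activeSessions) {
                    if (registered.getSessionId().equals(existingSession.getId())) {
                        return;
                    }
                }
            }
        }
        allowableSessionsExceeded(activeSessions, allowedSessions, this.sessionRegistry);
    }

    /**
     * Returns the session limit for the given authentication. This implementation returns the
     * configured {@code maximumSessions} for every user; subclasses may override it.
     *
     * @return the maximum number of sessions, or -1 for unlimited
     */
    protected int getMaximumSessionsForThisUser(Authentication authentication) {
        return this.maximumSessions;
    }

    /**
     * Handles a login that would exceed the session limit: either rejects it or expires the
     * least recently used session.
     *
     * <p>An empty {@code list} is rejected in the same way as a null one. Without that guard no
     * candidate is found and {@code expireNow()} is invoked on null, turning an authentication
     * decision into a {@link NullPointerException}; that path is reachable when the limit
     * supplied by {@link #getMaximumSessionsForThisUser} is zero or negative.
     *
     * <p>NOTE(review): only one session is expired per call. If the registry already holds more
     * sessions than the limit, the count does not drop back to the limit through this path.
     *
     * @param list the principal's current sessions
     * @param i the allowed number of sessions, used in the error message
     * @param sessionRegistry the registry in use (not read by this implementation)
     * @throws SessionAuthenticationException if rejection is configured, or there is no session to expire
     */
    protected void allowableSessionsExceeded(List<SessionInformation> list, int i, SessionRegistry sessionRegistry) throws SessionAuthenticationException {
        if (this.exceptionIfMaximumExceeded || list == null || list.isEmpty()) {
            throw new SessionAuthenticationException(this.messages.getMessage("ConcurrentSessionControlStrategy.exceededAllowed", new Object[]{Integer.valueOf(i)}, "Maximum sessions of {0} for this principal exceeded"));
        }
        // Pick the session whose last request is oldest; ties keep the earlier list entry.
        SessionInformation leastRecentlyUsed = null;
        for (SessionInformation candidate : list) {
            if (leastRecentlyUsed == null || candidate.getLastRequest().before(leastRecentlyUsed.getLastRequest())) {
                leastRecentlyUsed = candidate;
            }
        }
        leastRecentlyUsed.expireNow();
    }

    /**
     * Chooses what happens when the limit is reached.
     *
     * @param z {@code true} to reject the new login; {@code false} to expire the least recently
     *     used session instead
     */
    public void setExceptionIfMaximumExceeded(boolean z) {
        this.exceptionIfMaximumExceeded = z;
    }

    /**
     * Sets the maximum number of sessions per principal.
     *
     * <p>Only -1 (unlimited) or a positive value is accepted, as the error message states. The
     * previous check rejected only 0, so a value such as -2 was stored and later treated every
     * login as over the limit.
     *
     * @param i -1 for unlimited, or a positive maximum
     * @throws IllegalArgumentException if {@code i} is 0 or a negative value other than -1
     */
    public void setMaximumSessions(int i) {
        Assert.isTrue(i == -1 || i > 0, "MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");
        this.maximumSessions = i;
    }

    /**
     * Replaces the message accessor used for the rejection message.
     *
     * @param messageSource the message source to use; must not be null
     * @throws IllegalArgumentException if {@code messageSource} is null
     */
    @Override
    public void setMessageSource(MessageSource messageSource) {
        // Fail at configuration time rather than when the rejection message is looked up.
        Assert.notNull(messageSource, "messageSource cannot be null");
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /**
     * Rejects any attempt to turn off session creation, because this strategy registers a
     * session on every authentication. Passing {@code true} is a no-op.
     *
     * @throws IllegalArgumentException if {@code z} is {@code false}
     */
    @Override
    public final void setAlwaysCreateSession(boolean z) {
        if (!z) {
            throw new IllegalArgumentException("Cannot set alwaysCreateSession to false when concurrent session control is required");
        }
    }
}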
